However, it is also possible to access data by using the Request index object.
When this object is used, the information may be included within the query string or
within a posted form field. If the application chooses to access data by using the
Request index object instead of the Page.Form field, then parameters for an XSS exploit
may be placed into the query string instead of in a POST body. Of course, the ability to
perform this substitution is dependent on how the application decides to access data.
However, in complicated exploit scenarios, this behavior can greatly simplify exploit
writing.
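The difference between the two access paths, shown from the defender's side as an added example that is not code from the book: the handler class and the field name `comment` are hypothetical, and the hardened method reads only the POST body and encodes on output.

```csharp
// Added illustration; CommentHandler and the "comment" field are hypothetical names.
using System;
using System.Web;

public class CommentHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/html; charset=utf-8";
        RenderHardened(context);
    }

    // Weak form, kept only for comparison and never called.
    // The Request indexer searches QueryString, then Form, then Cookies,
    // then ServerVariables, so a value in the URL is accepted in place of
    // the posted field, and it is written back without encoding.
    private static void RenderWeak(HttpContext context)
    {
        string comment = context.Request["comment"];
        context.Response.Write("<p>" + comment + "</p>");
    }

    // Hardened form: accept the value from the POST body only, refuse a
    // same-named query string parameter, and HTML-encode on output.
    private static void RenderHardened(HttpContext context)
    {
        HttpRequest request = context.Request;

        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 405;           // Method Not Allowed
            context.Response.AppendHeader("Allow", "POST");
            return;
        }

        if (request.QueryString["comment"] != null)
        {
            context.Response.StatusCode = 400;           // ambiguous source for the field
            return;
        }

        string comment = request.Form["comment"] ?? string.Empty;
        context.Response.Write("<p>" + HttpUtility.HtmlEncode(comment) + "</p>");
    }
}
```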
This concludes the discussion of Cross-Site Scripting in ASP.Net. As you can see,
ASP.Net provides several mechanisms to assist in preventing script injection. Remember that
the majority of these protections require active effort on the part of the developer. With
the short deadlines most application developers are under, it is common for mishandling
of data to be overlooked.
128 Hacking Exposed Web 2.0
VIEWSTATE
If you look at a form submission to an ASP.Net application, you will likely notice that
almost every Submit action carries with it a __VIEWSTATE parameter. This parameter is
used by ASP.